Critical SAP NetWeaver Vulnerability Let Attackers Bypass Authorization Checks
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security vulnerability has been discovered in SAP NetWeaver Application Server for ABAP that allows authenticated attackers to bypass standard authorization checks and escalate their privileges within enterprise systems.
The vulnerability, tracked as CVE-2025-42989 and assigned a CVSS score of 9.6, was addressed in SAP’s June 2025 Security Patch Day alongside 13 other security updates.
The vulnerability uncovered by Onapsis resides within the Remote Function Call (RFC) framework of SAP NetWeaver Application Server AS ABAP, specifically affecting transactional RFC (tRFC) and queued RFC (qRFC) operations.
RFC Framework Flaw Enables Privilege Escalation
Under certain conditions, authenticated attackers can bypass the standard authorization check on the critical S_RFC authorization object, which normally governs access to RFC function modules and function groups.
SAP Security Note #3600840 addresses this critical missing authorization check that occurs during RFC inbound processing .
The flaw allows low-privileged authenticated users to execute function modules without proper authorization verification, resulting in significant privilege escalation that can critically impact both system integrity and availability .
The vulnerability affects multiple SAP NetWeaver kernel versions, including 7.89, 7.93, 9.14, and 9.15.
The RFC framework serves as a cornerstone for data exchange in SAP landscapes, making this vulnerability particularly dangerous as it affects core communication mechanisms between SAP systems, reads the Onapsis report.
Attackers exploiting this flaw can execute unauthorized operations that would normally require elevated S_RFC permissions, bypassing the function group-level authorization checks that protect critical system functions .
Risk Factors Details Affected ProductsSAP NetWeaver Application Server for ABAP KERNEL 7.89, KERNEL 7.93 , KERNEL 9.14 , KERNEL 9.15 ImpactPrivilege Escalation Exploit PrerequisitesAuthenticated user access required No user interaction required CVSS 3.1 Score9.6 (Critical)
Configuration Changes Required
Organizations implementing SAP Security Note #3600840 must perform several critical configuration changes to fully address the vulnerability.
The patch may require administrators to assign additional S_RFC permissions to existing users who previously relied on the flawed authorization mechanism.
SAP has published FAQ Note #3601919 to help administrators identify affected users and implement proper role adjustments .
A crucial technical requirement involves activating the enhanced RFC authorization check by setting the profile parameter rfc/authCheckInPlaybook to 1 after completing the necessary role adjustments.
This parameter enables the corrected authorization verification process that properly validates S_RFC permissions during tRFC and qRFC operations .
The implementation must be carefully planned as the authorization changes could impact existing system integrations that depend on RFC communications .
The vulnerability specifically affects RFC inbound processing, where the system fails to perform necessary authorization checks for authenticated users.
This creates a dangerous scenario where malicious actors can leverage legitimate user credentials to execute privileged operations without possessing the appropriate S_RFC authorizations.
Security experts strongly recommend the immediate implementation of SAP Security Note #3600840 due to the critical nature of this vulnerability.
The flaw’s high CVSS score of 9.6 reflects its potential for widespread impact across SAP environments, particularly given NetWeaver’s role as a core component in most SAP installations.
The June 2025 SAP Security Patch Day released 19 total security notes, including two HotNews notes and seven High Priority notes, with this RFC framework vulnerability representing the most critical threat.
Organizations should prioritize this patch alongside other critical updates, including ongoing security concerns with SAP Visual Composer that have been targeted in recent months.
The vulnerability’s potential for privilege escalation makes it an attractive target for attackers seeking to compromise SAP environments and access sensitive business data.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Critical SAP NetWeaver Vulnerability Let Attackers Bypass Authorization Checks
Author: Guru BaranA critical security vulnerability has been discovered in SAP NetWeaver Application Server for ABAP that allows authenticated attackers to bypass standard authorization checks and escalate their privileges within enterprise systems.
The vulnerability, tracked as CVE-2025-42989 and assigned a CVSS score of 9.6, was addressed in SAP’s June 2025 Security Patch Day alongside 13 other security updates.
The vulnerability uncovered by Onapsis resides within the Remote Function Call (RFC) framework of SAP NetWeaver Application Server AS ABAP, specifically affecting transactional RFC (tRFC) and queued RFC (qRFC) operations.
RFC Framework Flaw Enables Privilege Escalation
Under certain conditions, authenticated attackers can bypass the standard authorization check on the critical S_RFC authorization object, which normally governs access to RFC function modules and function groups.
SAP Security Note #3600840 addresses this critical missing authorization check that occurs during RFC inbound processing .
The flaw allows low-privileged authenticated users to execute function modules without proper authorization verification, resulting in significant privilege escalation that can critically impact both system integrity and availability .
The vulnerability affects multiple SAP NetWeaver kernel versions, including 7.89, 7.93, 9.14, and 9.15.
The RFC framework serves as a cornerstone for data exchange in SAP landscapes, making this vulnerability particularly dangerous as it affects core communication mechanisms between SAP systems, reads the Onapsis report.
Attackers exploiting this flaw can execute unauthorized operations that would normally require elevated S_RFC permissions, bypassing the function group-level authorization checks that protect critical system functions .
Risk Factors Details Affected ProductsSAP NetWeaver Application Server for ABAP KERNEL 7.89, KERNEL 7.93 , KERNEL 9.14 , KERNEL 9.15 ImpactPrivilege Escalation Exploit PrerequisitesAuthenticated user access required No user interaction required CVSS 3.1 Score9.6 (Critical)
Configuration Changes Required
Organizations implementing SAP Security Note #3600840 must perform several critical configuration changes to fully address the vulnerability.
The patch may require administrators to assign additional S_RFC permissions to existing users who previously relied on the flawed authorization mechanism.
SAP has published FAQ Note #3601919 to help administrators identify affected users and implement proper role adjustments .
A crucial technical requirement involves activating the enhanced RFC authorization check by setting the profile parameter rfc/authCheckInPlaybook to 1 after completing the necessary role adjustments.
This parameter enables the corrected authorization verification process that properly validates S_RFC permissions during tRFC and qRFC operations .
The implementation must be carefully planned as the authorization changes could impact existing system integrations that depend on RFC communications .
The vulnerability specifically affects RFC inbound processing, where the system fails to perform necessary authorization checks for authenticated users.
This creates a dangerous scenario where malicious actors can leverage legitimate user credentials to execute privileged operations without possessing the appropriate S_RFC authorizations.
Security experts strongly recommend the immediate implementation of SAP Security Note #3600840 due to the critical nature of this vulnerability.
The flaw’s high CVSS score of 9.6 reflects its potential for widespread impact across SAP environments, particularly given NetWeaver’s role as a core component in most SAP installations.
The June 2025 SAP Security Patch Day released 19 total security notes, including two HotNews notes and seven High Priority notes, with this RFC framework vulnerability representing the most critical threat.
Organizations should prioritize this patch alongside other critical updates, including ongoing security concerns with SAP Visual Composer that have been targeted in recent months.
The vulnerability’s potential for privilege escalation makes it an attractive target for attackers seeking to compromise SAP environments and access sensitive business data.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
